Grinex Crypto Exchange Shuts Down After $15M Hack by ‘Western Special Services’

Grinex, a cryptocurrency exchange registered in Kyrgyzstan and sanctioned by the United States, announced it has halted operations following a significant security breach. The exchange stated that attackers drained digital wallets belonging to Russian users, with conflicting reports on the exact value of stolen assets.

According to Grinex’s official statement, the exchange lost more than 1 billion Russian rubles, equivalent to approximately $13.7 million, in the incident. The company attributed the attack to “western special services” hackers, claiming the digital footprint and nature of the breach indicate involvement by foreign intelligence agencies with “an unprecedented level of resources and technology.”

Blockchain intelligence firm TRM Labs confirmed the theft and reported a higher valuation, stating that researchers discovered roughly 70 drained addresses and put the value of stolen assets at $15 million. This figure exceeds Grinex’s estimate by about $1.3 million, with TRM noting the discrepancy arose from identifying approximately 16 additional compromised addresses not initially reported by the exchange.

Neither TRM Labs nor fellow blockchain analysis firm Elliptic has disclosed technical details about how the attackers bypassed Grinex’s security defenses. Both firms have refrained from attributing the breach to any specific state or organization, despite Grinex’s public allegations.

Grinex said it has faced near-constant attack attempts since its incorporation 16 months prior to the incident. The exchange emphasized that the latest operation specifically targeted Russian individuals and businesses using its platform for cryptocurrency-ruble transactions.

Grinex Links Attack to Russia’s Financial Sovereignty

In its public statement, Grinex claimed the attack was “coordinated with the aim of causing direct damage to Russia’s financial sovereignty.” The exchange argued that the sophistication of the operation — including the use of decentralized protocols to move and convert stolen funds — points to state-backed actors rather than typical cybercriminal groups.

The exchange highlighted its role in facilitating crypto-ruble exchange operations between Russian entities, noting that its services have been used to bypass international sanctions affecting traditional banking channels. Grinex launched a ruble-backed stablecoin named A7A5, which was originally developed by its predecessor, Garantex, another exchange sanctioned by the U.S. Treasury.

In August 2025, the U.S. Department of the Treasury formally sanctioned Grinex, citing evidence that it continued the illicit operations of Garantex, including processing over $100 million in suspicious transactions and enabling money laundering for Russia-linked actors. Despite the sanctions, Grinex remained operational, providing what it described as financial sovereignty for Russian users unable to access global banking systems.

Blockchain Firms Confirm Movement of Stolen Funds

Elliptic reported that the stolen assets were transferred from Grinex’s wallets to addresses on the TRON and Ethereum blockchains at approximately 12:00 UTC on Wednesday. The funds were subsequently converted into TRX and ETH through the SunSwap decentralized trading protocol, a common method used to obscure transaction trails.

TRM Labs added that two wallets associated with TokenSpot, a Kyrgyzstan-based exchange with on-chain links to Grinex, sent approximately $5,000 to the same consolidation address used by the Grinex attacker. TokenSpot acknowledged a brief platform outage on April 15, followed by a resumption of full operations the next day, though it did not confirm any direct connection to the Grinex breach.

Neither Elliptic nor TRM Labs has accused Grinex or TokenSpot of involvement in the attack. Both firms maintain that their role is limited to blockchain analysis and threat intelligence, without assigning blame or confirming state sponsorship.

Context of Sanctions Evasion Allegations

Grinex has been widely regarded by U.S. authorities as the successor to Garantex, which was shut down after its administrator was arrested and its domains seized over allegations of processing illicit funds and facilitating sanctions evasion. Founders and operators of both exchanges have been accused of enabling Russian entities to move value outside the traditional financial system amid ongoing geopolitical tensions.

Elliptic founder Tom Robinson has publicly stated that Grinex served as the primary platform for trading the A7A5 stablecoin, which he described as “created as part of a Russian sanctions evasion enterprise.” Despite these claims, Grinex has consistently denied engaging in illegal activity, asserting in past statements that it “strongly condemns any form of illegal activity, including sanctions evasion and money laundering.”

The exchange maintains that its services are designed to support legitimate commerce and financial inclusion for users in regions underserved by global banking networks. However, regulators and blockchain analysts continue to monitor its operations closely due to its historical ties to sanctioned entities and its presence in high-risk jurisdictions.

As of the latest update, Grinex has transferred all available information related to the breach to law enforcement agencies and filed a criminal complaint at the location of its infrastructure. The exchange has not provided a timeline for resuming operations, stating only that it will do so once security enhancements are completed and approved.

For ongoing developments regarding this incident, readers are encouraged to monitor official statements from Grinex, advisories from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), and published analyses from blockchain security firms such as Elliptic and TRM Labs.
